A Comparative Study and Analysis of Some Pseudorandom Number Generator Algorithms
DOI: 10.1002/spy2.46
ORIGINAL ARTICLE
1 INTRODUCTION
“Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin.”
—John von Neumann [1]
Randomness is an essential criterion in many fields of computer science, including simulations, cryptography, statistics and randomized algorithms. In cryptography, randomness is generally used to generate keys, initialization vectors (IVs) or nonces for an encryption algorithm. The key is an integral part of the security, as modern cryptographic algorithms are built on the principle that the security of a system depends entirely on the key and not on the system's design [2]. This means that all modern security algorithms and protocols have their cryptographic strength expressed in terms of the size of the key that an attacker needs to guess before breaching the security of the system.
This expression of strength implicitly assumes that the attacker has no knowledge of the bits of the original key used. The effective strength of an algorithm is reduced when better attacks against it are found and more bits of the key can be derived from looking at a portion of the output data. With advances in computational speed and the advent of quantum computing, there is always the looming danger of a partial/reduced-round brute-force attack on such systems if a portion of the key can be guessed.
How is this “randomness” created? Let us have an informal discussion. Assume there is a function f(x) that produces a random number for a given input x by performing a series of operations on x involving some fixed, well-defined constants. Such a function would have a remarkable property: it produces a different output every time we enter the same input. Intuitively, and to the best of our knowledge, such a function does not exist, because f(x) is completely deterministic in nature. If x and the definition of f(x) are known, then for a given input x or a series of inputs (which may include time as a parameter), f(x) will always give the same output. Hence algorithms, being sets of instructions and deterministic in nature, cannot produce true randomness. This is beautifully summarized by John von Neumann [1] in his famous quote, which is mentioned at the start of this paper.
Security Privacy. 2018;1:e46. wileyonlinelibrary.com/journal/spy2 © 2018 John Wiley & Sons, Ltd. 1 of 8
https://doi.org/10.1002/spy2.46
Note to Table 1 (abbreviations used in the tables): T1, frequency test; T2, frequency test within a block; T3, runs test; T4, longest-run-of-ones in a block test; T5, binary matrix rank test; T6, discrete Fourier transform (spectral) test; T7, non-overlapping template matching test; T8, overlapping template matching test; T9, Maurer's “Universal Statistical” test; T10, linear complexity test; T11, serial test; T12, approximate entropy test; T13, cumulative sums (Cusums) test; T14, random excursions test; T15, random excursions variant test; n, minimum length of the sequence obtained from a PRNG.
Then how can we obtain this randomness for the robust design of a cryptosystem? The following techniques are generally used:
i. We can integrate a physical source of randomness, like thermal noise in a resistor, into a cryptosystem. In such systems, the speed of the generator can be an issue that creates a bottleneck on the overall performance of the system.
ii. Using a cryptographically secure PRNG (CSPRNG), either stand-alone or with the physical source as a seed generator for the CSPRNG.
For a pseudorandom number generator (PRNG) to be cryptographically robust, it should satisfy the following conditions [3]:
a. Statistical difference: the chance of any polynomial-time algorithm distinguishing the statistical properties of the PRNG sequence from those of a truly random sequence should not be significantly greater than 0.5.
b. Next-bit prediction: given the first k bits of the PRNG sequence, the chance of any polynomial-time algorithm predicting the next bit, that is, the (k + 1)th bit, should not be significantly greater than 0.5.
It is interesting to note that both conditions need to hold simultaneously and one does not imply the other.
The paper is organized as follows. In Section 3, we briefly discuss the different tests proposed by NIST and the parameters used in these tests. In Sections 4-7, we discuss the LCG [4], Wichmann-Hill [5], WELL [6] and MIXMAX [7] PRNGs and their performance based on the NIST Test Suite. In Section 7, we conclude the paper with comparative comments on the LCG, Wichmann-Hill, WELL and MIXMAX PRNGs.
There are many test packages in the literature that detect a certain kind of weakness present in a sample sequence obtained from a PRNG algorithm. Some well-known packages are described in [8-12]. All these tests have their own respective places on the spectrum of testing strictness. While Marsaglia's tests [9] are not so rigorous, the test suite TestU01 [12], proposed in 2007, is so strict that statisticians opine that, given a large enough sample, every generator gets disqualified by it. We therefore choose the NIST standards, with their strict but not so extreme approach, for the comparative analysis. Table 1 lists the tests proposed by NIST [10], along with their details, for a given bit sequence.
The NIST Test Suite targets mainly condition (a) required for a CSPRNG. The tests, in general, produce a P-value [10]. The P-value is compared with the significance level (α), which is defined by the tester. In this study, α has been taken as 0.01. If, for a given test, the P-value of a sequence is less than α, the sequence is said to have failed the test. Tests like “Non-overlapping Template Matching”, “Random Excursions” and “Random Excursions Variant” do not generate a single P-value [10]. For these three tests, the description of what to do if one of the P-values indicates non-randomness is quite vague. In this study, we assume that a PRNG is not secure if it fails one or more of the tests described in Table 1. For all the PRNGs considered, we have tested 1000 sequences, each of length 1 000 000 bits. For each test, we calculate S, the number of sequences passing, and PR, the passing ratio, that is, PR = S/1000. If PR lies in the confidence interval 0.99 ± 0.0094392, the PRNG is said to have passed the test.
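The monobit test (T1 in Table 1) together with the passing-ratio rule just described, as an added example that is not from the paper: `monobit_pvalue` follows NIST SP 800-22, and `proportion_interval` reproduces the 0.99 ± 0.0094392 interval from NIST's p̂ ± 3·sqrt(p̂(1 − p̂)/m) formula with p̂ = 1 − α and m = 1000. The scaled-down run under `__main__` uses Python's Mersenne Twister as a stand-in source; all function names are mine.

```python
# Added example (not from the paper): the NIST frequency (monobit) test, T1 in
# Table 1, plus the proportion-of-passing-sequences rule the paper applies
# (PR = S/m must lie in p_hat +/- 3*sqrt(p_hat(1-p_hat)/m), p_hat = 1 - alpha).
import math
import random

ALPHA = 0.01          # significance level used in the paper


def monobit_pvalue(bits):
    """NIST SP 800-22 frequency test: P = erfc(|S_n| / sqrt(n) / sqrt(2))."""
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)   # +1 for each 1, -1 for each 0
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def proportion_interval(m, alpha=ALPHA):
    """Acceptance interval for the passing ratio PR over m sequences.
    For m = 1000 and alpha = 0.01 this is 0.99 +/- 0.0094392, the interval
    quoted in Section 3; the width grows for smaller m."""
    p_hat = 1.0 - alpha
    half_width = 3.0 * math.sqrt(p_hat * (1.0 - p_hat) / m)
    return p_hat - half_width, p_hat + half_width


def verdict(s, m, alpha=ALPHA):
    """Return (PR, 'Pass' or 'Fail') given S passing sequences out of m."""
    lo, hi = proportion_interval(m, alpha)
    pr = s / m
    return pr, "Pass" if lo <= pr <= hi else "Fail"


def run_monobit(next_bits, m, n, alpha=ALPHA):
    """Apply the monobit test to m sequences of n bits drawn from next_bits(n)
    and return (S, PR, verdict)."""
    s = sum(1 for _ in range(m) if monobit_pvalue(next_bits(n)) >= alpha)
    pr, result = verdict(s, m, alpha)
    return s, pr, result


if __name__ == "__main__":
    # Scaled-down run (100 sequences of 20 000 bits instead of the paper's
    # 1000 x 1 000 000) with Python's Mersenne Twister as the bit source.
    rng = random.Random(2018)

    def mt_bits(n):
        return [rng.getrandbits(1) for _ in range(n)]

    print(run_monobit(mt_bits, m=100, n=20_000))
```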
4 LCG PRNG
The LCG represents one of the oldest and best-known techniques for producing a pseudorandom sequence of bits. The LCG is defined by the tuple (m, a, c) used in the recurrence relation
X_{n+1} = (a · X_n + c) mod m.   (1)
Here X_n is the nth term of the sequence, a is the multiplier, c is the increment, and m is the modulus. The performance of the LCG is very sensitive to the choice of the parameters m, a, and c. Let us see how it fares against the NIST Test Suite [10]. In Table 2, we list some popular implementations of different LCGs.
The performance of these LCGs is shown in Tables 3-21. The results indicate that all the LCGs given in Table 2 perform poorly against the NIST Test Suite.
TABLE 2 LCGs with different m, a, and c in common use in the runtime libraries of various compilers [4]
No.  Source                                                                     m          a                          c
1.   GNU Scientific Library                                                     2^32       1 664 525                  1 013 904 223
2.   Borland C/C++                                                              2^32       22 695 477                 1
3.   Glibc (used by GCC)                                                        2^31 - 1   1 103 515 245              12 345
4.   ANSI C: Watcom, Digital Mars, CodeWarrior, IBM VisualAge C/C++, C99, C11   2^31       1 103 515 245              12 345
5.   Borland Delphi, Virtual Pascal                                             2^32       134 775 813                1
6.   Microsoft Visual/Quick C/C++                                               2^32       214 013                    2 531 011
7.   Microsoft Visual Basic (6 and earlier)                                     2^24       1 140 671 485              12 820 163
8.   RtlUniform from Native API                                                 2^31 - 1   2 147 483 629              2 147 483 587
9.   Apple CarbonLib, C++11's minstd_rand0                                      2^31 - 1   16 807                     0
10.  C++11's minstd_rand                                                        2^31 - 1   48 271                     0
11.  MMIX                                                                       2^64       6 364 136 223 846 793 005  1 442 695 040 888 963 407
12.  Newlib, Musl                                                               2^64       6 364 136 223 846 793 005  1
13.  VMS's MTHRANDOM, old versions of glibc                                     2^32       69 069                     1
14.  Java's java.util.Random, POSIX rand48, glibc rand48[_r]                    2^48       25 214 903 917             11
15.  random0                                                                    134 456    8121                       28 411
16.  POSIX [de]rand48, glibc [de]rand48[_r]                                     2^48       25 214 903 917             11
17.  cc65, Sydney 2016                                                          2^23       65 793                     4 282 663
18.  cc65                                                                       2^32       16 843 009                 826 366 247
19.  RANDU                                                                      2^31       65 539                     0
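An added example, not from the paper, that runs recurrence (1) with two rows of Table 2 (row 1, the GNU Scientific Library, and row 19, RANDU) and exhibits two weaknesses the statistical tests are sensitive to: with a power-of-two modulus the low-order bits cycle with tiny periods, and for RANDU every output is an exact linear function of the previous two, so condition (b) of Section 1 fails outright. The function names are mine.

```python
# Added example (not from the paper): recurrence (1) with parameters taken from
# Table 2, showing two classic weaknesses of LCGs that statistical tests pick up.


def lcg(m, a, c, seed):
    """Generator for X_{n+1} = (a*X_n + c) mod m, yielding X_1, X_2, ..."""
    x = seed % m
    while True:
        x = (a * x + c) % m
        yield x


def bit_period(m, a, c, seed, j, limit=4096):
    """Period of bit j of the output stream (0 = least significant) within the
    first `limit` outputs, or None if no period is found. For m = 2^k the
    low j+1 bits only depend on each other, so bit j has period at most 2^(j+1):
    bit 0 merely alternates when a and c are odd."""
    g = lcg(m, a, c, seed)
    seen = [(next(g) >> j) & 1 for _ in range(limit)]
    for p in range(1, limit // 2):
        if all(seen[i] == seen[i + p] for i in range(limit - p)):
            return p
    return None


def randu_predictable(seed, steps=1000):
    """RANDU (row 19 of Table 2: m = 2^31, a = 65539, c = 0). Since
    65539 = 2^16 + 3, a^2 = 6a - 9 (mod 2^31), hence every output is fixed by
    the previous two: X_{n+2} = 6*X_{n+1} - 9*X_n (mod 2^31). Returns True if
    that relation holds for all `steps` outputs from `seed`."""
    m = 1 << 31
    xs = [x for _, x in zip(range(steps), lcg(m, 65539, 0, seed))]
    return all((6 * xs[i + 1] - 9 * xs[i]) % m == xs[i + 2]
               for i in range(steps - 2))


if __name__ == "__main__":
    # Row 1 of Table 2 (GNU Scientific Library): m = 2^32, a and c both odd.
    for j in range(4):
        print("GSL LCG, bit", j, "has period",
              bit_period(1 << 32, 1664525, 1013904223, 12345, j))
    print("RANDU output fixed by the previous two:", randu_predictable(1))
```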
5 WICHMANN-HILL PRNG
The Wichmann-Hill generator, also known as AS 183, is a PRNG that combines three LCGs with different m, a, and c [5]. The outputs of the three LCGs (each lying between 0 and 1) are summed modulo 1 to produce the result, which is simply the fractional part of the sum. The values of m, a, and c are fixed [5], and the procedure is given as Algorithm 1. The seed values s1, s2, and s3 should be between 0 and 30 000.
Clearly, the Wichmann-Hill algorithm performs better than a single LCG against the NIST Test Suite. We show the performance of the Wichmann-Hill PRNG against the NIST Test Suite in Table 22.
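The Wichmann-Hill procedure as an added example (my code, not the paper's Algorithm 1), using the moduli and multipliers published with AS 183; `bits` turns the float output into a bit stream of the kind the NIST suite consumes, and `combined_period` shows why summing three LCGs modulo 1 helps.

```python
# Added example (not the paper's Algorithm 1): the AS 183 Wichmann-Hill
# generator, three LCGs with c = 0 whose scaled outputs are summed modulo 1.
# The moduli and multipliers are the published AS 183 constants.
import math
from functools import reduce


class WichmannHill:
    MODULI = (30269, 30307, 30323)
    MULTIPLIERS = (171, 172, 170)

    def __init__(self, s1, s2, s3):
        # A zero seed would pin that component at zero forever (c = 0), so
        # AS 183 requires every seed to lie in 1..30000.
        for s in (s1, s2, s3):
            if not 1 <= s <= 30000:
                raise ValueError("seeds must lie in 1..30000")
        self.state = [s1, s2, s3]

    def next_float(self):
        """One step of each LCG, then the fractional part of the sum."""
        self.state = [(a * s) % m for a, s, m in
                      zip(self.MULTIPLIERS, self.state, self.MODULI)]
        total = sum(s / m for s, m in zip(self.state, self.MODULI))
        return total - math.floor(total)

    def bits(self, n, per_output=8):
        """Bit sequence for NIST-style testing: the top `per_output` bits of
        each output, most significant first."""
        out = []
        while len(out) < n:
            v = int(self.next_float() * (1 << per_output))
            out.extend((v >> i) & 1 for i in reversed(range(per_output)))
        return out[:n]


def combined_period():
    """AS 183 picks prime moduli with primitive-root multipliers, so each
    component has period m_i - 1 and the sum has period
    lcm(30268, 30306, 30322), about 6.95e12, far beyond any single LCG."""
    return reduce(lambda x, y: x * y // math.gcd(x, y),
                  (m - 1 for m in WichmannHill.MODULI))


if __name__ == "__main__":
    wh = WichmannHill(1, 2, 3)
    print([round(wh.next_float(), 6) for _ in range(5)])
    print("first 16 bits:", wh.bits(16))
    print("combined period:", combined_period())
```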
6 WELL PRNG
The WELL PRNG [6] is a form of linear feedback shift register (LFSR) specifically suited to 32-bit machines. WELL is defined by the parameters (k, w, r, p, m1, m2, m3, M0, M1, M2, M3, M4, M5, M6, M7), where k = rw + p, r > 0 and 0 ≤ p < w, m_p is the bit-mask and M_i is a transformation matrix of size w × w. Six possible transformations are defined in [6]. It is also interesting to note that if M1 = M2 = M3 = M6 × M2 ⊕ M7 × M2 = M6 × M3 ⊕ M7 × M3 and M0 = M5 × M1 ⊕ M7 × M1 = I, where I is the identity matrix and M4 is a matrix whose only nonzero elements are on the first line and on the first sub-diagonal (which contains all 1's), then WELL reduces to the “Mersenne Twister” [13]. The general algorithm for WELL [6] is reproduced as Algorithm 2.
The NIST Test Suite was applied to WELL512a, WELL1024a, WELL19937a, WELL19937c, WELL44497a and WELL44497b. The PR corresponding to each test is shown in Table 23.
7 MIXMAX PRNG
The MIXMAX PRNG is based on k-mixing Kolmogorov systems [7, 14]. The generator is described mathematically as follows:
u_i(t + 1) = ( Σ_{j=1}^{N} A_ij · u_j(t) ) mod 1.   (2)
Note to the tables: T13(1), Cusums forward test; T13(2), Cusums backward test.
The initial seed value u_0 may be any vector with a non-zero component. An efficient implementation is presented in [15], with the size of the matrix being 240, the special entry in the matrix being 487 013 230 256 099 140 and the special multiplier being m = 2^51 + 1. We have run the NIST Test Suite on the MIXMAX PRNG, and the results are presented in Table 24.
8 CONCLUSION
Based on the NIST Test Suite results for the different LCG PRNGs, we observed that all the LCGs performed very poorly compared to the other PRNGs. However, a linear combination of LCGs, namely the Wichmann-Hill PRNG, fared well against the NIST Test Suite, although it fails the “Serial Test”. The different implementations of the WELL PRNG perform better than the Wichmann-Hill PRNG, but certain implementations, like WELL512a and WELL44497b, fail the “Serial Test”. The MIXMAX PRNG outperforms the above three generators convincingly, as it does not fail the “Serial Test”. However, due to the strong failure assumption for the “Non-Overlapping Template Matching Test” (it generates 148 P-values), the “Random Excursions Test” (it generates 8 P-values) and the “Random Excursions Variant Test” (it generates 18 P-values), all the generators considered in this paper failed these tests. The PR value was exceptionally low for the “Non-overlapping Template Matching Test” due to the very high chance of failure (any 1 out of 148) compared to the “Random Excursions Test” (any 1 out of 8) and the “Random Excursions Variant Test” (any 1 out of 18), under the assumption that a single P-value failure implies failure of the test. Therefore, based on the test results, none of the generators considered in this paper should be used for cryptographic applications.
TABLE 24 Performance of the MIXMAX PRNG against the NIST test suite
Test     S     PR      Verdict
T1       990   0.99    Pass
T2       985   0.985   Pass
T3       988   0.988   Pass
T4       993   0.993   Pass
T5       987   0.987   Pass
T6       985   0.985   Pass
T7       244   0.244   Fail
T8       992   0.992   Pass
T9       990   0.99    Pass
T10      991   0.991   Pass
T11      984   0.984   Pass
T12      984   0.984   Pass
T13(1)   984   0.984   Pass
T13(2)   991   0.991   Pass
T14      905   0.905   Fail
T15      910   0.91    Fail
CONFLICT OF INTEREST
The authors declare no potential conflict of interest.
REFERENCES
1. von Neumann J. Various techniques used in connection with random digits. In: Collected Works. Vol. 5. New York: Macmillan; 1963.
2. Kerckhoffs A. Militaire cryptographie. J Mil Sci. 1883;IX:48-83.
3. Menezes AJ, van Oorschot PC, Vanstone SA. Handbook of Applied Cryptography. 5th ed. USA: CRC Press, Inc.; 2001.
4. Frieze AM, Kannan R, Lagarias JC. Linear congruential generators do not produce random sequences. Proceedings of the 25th Annual Symposium on Foundations of Computer Science. USA: IEEE; 1984:480-484.
5. Wichmann BA, Hill D. Correction: algorithm AS 183: an efficient and portable pseudo-random number generator. J R Stat Soc Ser C Appl Stat. 1984;33(1):123.
6. Panneton F, L'Ecuyer P, Matsumoto M. Improved long-period generators based on linear recurrences modulo 2. ACM Trans Math Softw. 2006;32(1):1-16.
7. Savvidy KG, Ter-Arutyunyan-Savvidy NG. On the Monte Carlo simulation of physical systems. J Comput Phys. 1991;97(2):566-572.
8. Knuth DE. The Art of Computer Programming. Vol 2. 2nd ed. Reading, MA: Addison-Wesley; 1981.
9. Marsaglia G. Diehard: A Battery of Tests of Randomness. http://stat.fsu.edu/pub/diehard/
10. Rukhin A, Soto J, Nechvatal J, et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. USA: NIST Special Publication; 2001.
11. Gustafson H, Dawson E, Nielsen L, Caelli W. A computer package for measuring strength of encryption algorithms. J Comput Sec. 1994;13(8):687-697.
12. L'Ecuyer P, Simard R. TestU01: a software library in ANSI C for empirical testing of random number generators. ACM Trans Math Softw. 2007;33(4):22-40.
13. Matsumoto M, Nishimura T. Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator. ACM Trans Mod Comput Simul. 1998;8(1):3-30.
14. Savvidy KG. The MIXMAX random number generator. Comput Phys Commun. 2015;196:161-165.
15. Savvidy K, Savvidy G. Spectrum and entropy of C-systems MIXMAX random number generator. Chaos Solitons Fractals. 2016;91:33-38.
How to cite this article: Sinha S, Islam SKH, Obaidat MS. A comparative study and analysis of some pseudorandom number generator algorithms. Security and Privacy 2018;1:e46. https://doi.org/10.1002/spy2.46